Hackers breach Li Finance and Umbrella Network DeFi protocols

Li Finance, a DEX aggregator, reported a hacking attack in which 205 ETH (~$591,630) were stolen from 29 wallets connected to the service. The project team closed the exploit and reimbursed the losses to most users.

TLDR:

• ~$600K have been stolen from 29 wallets
• Users don’t have to do anything
• Bug has been fixed and is already deployed https://t.co/fqOxJxDrZs

— LI.FI — Any-2-Any Swaps (🦎,🦎) (@lifiprotocol) March 21, 2022

According to the report, on March 20 the attacker exploited a vulnerability in the Li Finance smart contract that allowed transferring assets from user wallets that had granted unlimited approval to the protocol.

An analyst from the investment firm Paradigm, known by the handle t11s, pointed out that even a thorough audit might not have detected this exploit. He said the bug in Li Finance’s code would be easy to miss and is ‘subtle if you’re not in the right mindset’.

not a dunk on LiFi btw, i’ve implemented the same flaw in my own code in the past and have missed it when reviewing other’s too.

it’s subtle if you’re not in the right mindset, which is why we need to get the word out

— t11s (@transmissions11) March 20, 2022

When the project team learned of the incident, they disabled all swaps on the platform. However, the hacker managed to withdraw about $600,000 in tokens, including USD Coin (USDC), Polygon (MATIC), Tether (USDT) and others.

The stolen assets were converted to Ethereum. The cryptocurrency remains at the attacker’s address.

Li Finance stated that they reimbursed the losses of 25 wallets totaling $80,000. The remaining four wallets account for about $517,000 of the stolen funds. The team contacted the owners of the addresses and offered them ‘special’ compensation:

“To reduce the damage to our treasury, we propose converting the lost funds into Li Finance angel investments and into future Li.Fi tokens on the same terms as for our investors in the current funding round. … However, the final decision remains with the users.”

Li Finance specialists also contacted the hacker to return the stolen assets for a reward.

The Umbrella Network decentralised oracle service also reported a breach. The attacker exploited a vulnerability in the staking contracts for the liquidity provider pools on Ethereum and BNB Chain.

Dear Umbrella Community

Earlier today, hackers managed to exploit our Polar Stream staking contracts on both Ethereum and BNB Chain and drained the LP tokens staked in both of the contracts. The hacker then withdrew liquidity using those stolen LP tokens from both the UMB-ETH

— Umbrella Network (@UmbNetwork) March 20, 2022

As a result of the attack, the hacker withdrew tokens from these pools. The team said the attacker moved more than 2.2 million UMB on the open market. PeckShield analysts put the damage at $700,000.

#SafeMath# matters! The @UmbNetwork reward pools are drained at both @BNBCHAIN and @ethereum, leading to the ~$700K gain for the hacker! The hack is possible because of an unchecked underflow in withdraw() so that anyone can withdraw any amount even without any balance! pic.twitter.com/SF38DNzJY6

— PeckShield Inc. (@peckshield) March 20, 2022
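The failure mode PeckShield describes, as an added example that is not Umbrella Network's contract code and not part of the original article: a simplified Python model of a staking pool with 256-bit unsigned arithmetic, comparing an unchecked subtraction in withdraw() with a SafeMath-style checked one. The class, method and account names and the amounts are assumptions constructed for illustration.

```python
MOD = 2**256  # EVM words are 256-bit unsigned integers

class Revert(Exception):
    """Models an EVM revert: the whole transaction is rolled back."""


class StakingPool:
    """Constructed, simplified staking pool; not Umbrella Network's contract."""

    def __init__(self, checked):
        self.checked = checked   # True = SafeMath-style checked subtraction
        self.balances = {}       # staker -> recorded stake
        self.pool_tokens = 0     # LP tokens actually held by the pool

    def _sub(self, a, b):
        if self.checked and b > a:
            raise Revert("subtraction underflow")
        return (a - b) % MOD     # unchecked: wraps around instead of failing

    def stake(self, user, amount):
        self.balances[user] = self.balances.get(user, 0) + amount
        self.pool_tokens += amount

    def withdraw(self, user, amount):
        new_balance = self._sub(self.balances.get(user, 0), amount)
        if amount > self.pool_tokens:
            raise Revert("pool does not hold enough tokens")
        self.balances[user] = new_balance
        self.pool_tokens -= amount
        return amount

    def invariant_holds(self):
        return sum(self.balances.values()) == self.pool_tokens  # stakes == holdings


def run_scenario(checked):
    """A staker deposits 1000; an account with no stake then asks for 1000."""
    pool = StakingPool(checked)
    pool.stake("staker", 1000)
    try:
        paid_out = pool.withdraw("no_stake_account", 1000)
    except Revert:
        paid_out = 0
    return paid_out, pool.pool_tokens, pool.invariant_holds()


if __name__ == "__main__":
    for mode in (False, True):
        print("checked" if mode else "unchecked", run_scenario(mode))
```

With unchecked arithmetic the account with no stake is paid the full 1000 tokens and the stake-versus-holdings invariant breaks; with the checked subtraction the call reverts and the pool is untouched.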

Umbrella Network pledged to compensate all affected users. The team also stressed that other smart contracts in the protocol were not affected.

The investigation is ongoing, with further details promised for release later.

As reported, in March 2022 hackers stole $11 million as a result of the breaches of DeFi protocols Agave and Hundred Finance.
